* This vulnerability appears to have existed from at least Internet Explorer 5.0.
* It is suspected that all versions of Internet Explorer on all supported platforms are affected.

The vulnerability specifically exists in the parsing of reply lines from remote FTP servers. During an FTP session, the client makes requests for the server to perform some operation and the server responds with a numeric code, a human readable message and possibly some other information. As there can be multiple lines in a reply, code in the client breaks the reply up into lines, putting a null byte (character 0x00) after any end of line character. In the case where a line ends exactly on the last character of the reply buffer, the terminating null byte is written outside of the allocated space, overwriting a byte of the heap management structure. By sending a specially crafted series of replys to the client, the heap may be corrupted in a controlled way to cause the execution of arbitrary code.

Successful remote exploitation of this vulnerability would allow a attacker to execute arbitrary commands in the context of the currently logged in user.

In order to exploit this vulnerability, the attacker must convince the target to follow a link in a program which uses the vulnerable functions, such as Internet Explorer, Word, or Outlook. For any of these applications it is sufficient to embed an image linked to a malicious ftp server, but for modern versions of Outlook, the image will not render unless the user allows it.

The portion of the heap management structure overwritten is used to determine the length of the allocation it refers to. In combination with another less severe vulnerability in the FTP code, which allows a remote attacker to see a valid memory address, it may be possible to cause reliable remote exploitation.

Workaround:
Blocking outgoing port 21 (ftp) requests is not effective, as this it is possible to supply an ftp URL with an alternative port. It may be possible to limit exposure to this vulnerability by configuring systems to use a proxy server for all ftp requests and only allowing white-listed sites.

Vendor Status:
Microsoft has addressed this vulnerability within MS07-016.